“The Web as I envisaged it, we have not seen it yet. The future is still so much bigger than the past.” - Tim Berners-Lee

Palin Emails in Plain Text

Posted: February 9th, 2010 | Filed under: Uncategorized

I recently discovered a searchable Sarah Palin email archive thanks to a post I found on reddit. I was inspired by the comments to further increase the accessibility of the collection. That is why I’ve gathered them, converted them to plain text and plopped ’em into one compressed file. Enjoy!


Sears.com Baby Cooker – Lessons Learned?

Posted: August 21st, 2009 | Filed under: Uncategorized

So I’m browsing my news feeds this afternoon and what do I see? Reddit has apparently removed a top story that wasn’t favorable to their parent company. What was this story? That Sears seemed to be selling a grill to cook babies!

The story in itself is hilarious and disturbing. Even more disturbing isn’t the fact that Reddit tried to bury the story but rather that the incident shouldn’t have happened in the first place.

A couple weeks ago (Aug. 6th) I found a couple XSS vulnerabilities in the Sears site and promptly reported them. After speaking with several supervisors and to Risk Management, I ended up being transferred to the Director of IT. He was very nice and quickly offered up his email so I could send in some examples. When I sent them I added that they probably weren’t the only holes in the site. I assumed that it would end in some sort of security audit of the site.

Fast forward a couple weeks. The company is now the laughing stock of the web due to another vulnerability. When I reported similar vulnerabilities in another Fortune 500 site, I received a reply that included the following -

The (redacted) is aware of the many threats to the security of consumer data and takes the protection of that data seriously. It is our goal to ensure that when consumers submit information that it reaches its destination safely, protected, and unchanged. We have taken proactive steps in the development of (redacted) to incorporate industry standards and best practices for the treatment of consumer information such as the use of SSL for the transmission of personal content and other measures, both active and passive. In addition, we have engaged recognized independent security firms to perform security testing of the site to identify any potential gaps or risks. Because of the number and types of reviews we have performed on the various elements of the site, we feel confident in its security. Nonetheless, we continue to review and monitor its behavior to provide our consumers with the highest levels of security.

It went on to say that if I had any other concerns in the future, I could contact them again. They tell me that they’re confident in their site’s security despite the fact I was actively seeking them out to report vulnerabilities.

Anyway, back to Sears. While no harm was done in this case, there most certainly could have been. It should serve as a lesson to companies such as the “confident” one above. Take both your users and their security seriously.


Steve Jobs Says What?!

Posted: July 18th, 2009 | Filed under: Uncategorized

Macintosh customers continue to benefit from the spirit of cooperation between Apple and Microsoft, with new versions of Internet Explorer and Outlook Express adding to the growing number of ‘Macintosh-first, Macintosh-best’ products coming from Microsoft.

- Steve Jobs

That quote was taken from Microsoft’s website as it appeared in 1996. I wonder how he feels about that “spirit of cooperation” now. He’s also quoted on another part of the site as saying IE is the best browser in the world.